Logging EJB method calls even when user is not in role

I'm trying to log some security information about an EJB based JEE application. Therefore I specifically want to log which method is called at what time and which user is trying to call it.

Currently I have simply written an Interceptor, injected the SessionContext and thus log via SessionContext.getCallerPrincipal() and InvocationContext.getMethod().

The problem is that I also want to log users trying to call methods they are not allowed to use. So if a method is only allowed via @RolesAllowed for the user group "Manager", but a user of the group "Employee" tries to call it, the interceptor logging method is never called, because the application server already restricts the business method call in the first place, so the logging method in my interceptor never gets triggered.

Is there any way to log such information including failed calls due to security restrictions? These method calls outside of someone's permissions are actually the most interesting thing for me to log.

Also on another note, is there a way to only write such a log file at the end of a user session? Currently I create a JSON file every time the interceptor method gets invoked and save it to my disk, which clearly isn't optimal. It would be great if I could just gather the log information at runtime with the interceptor and only save it to the disk as the user logs out. Is there any such way to do this?

Is there any way to log such information including failed calls due to security restrictions? These method calls outside of someone's permissions are actually the most interesting thing for me to log.

No, there is nothing like that in the EE-specs.

What about putting an EJB in front of your current EJB and annotating that class with @PermitAll (a sort of dispatcher)? The front EJB logs all method calls and then dispatches them to the secure EJB.

Also on another note, is there a way to only write such a log file at the end of a user session? Currently I create a JSON file every time the interceptor method gets invoked and save it to my disk, which clearly isn't optimal. It would be great if I could just gather the log information at runtime with the interceptor and only save it to the disk as the user logs out. Is there any such way to do this?

If it is a Stateless Session Bean I can't really think of any other solution...
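The dispatcher idea above, written out as an added example that is not code from the thread: a @PermitAll front bean that every caller can reach, which records the caller and method and then delegates to the @RolesAllowed bean, treating the container's EJBAccessException on the nested call as the "not in role" event to log. The bean and method names (PayrollBean, approveSalary), the "Manager" role from the question and the java.util.logging logger named "audit" are assumptions; the javax.* packages are Java EE 7/8 names (jakarta.* in Jakarta EE 9 and later).

```java
// File: PayrollBean.java  (the existing secured business bean)
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

@Stateless
public class PayrollBean {
    // The container checks this role before any interceptor on this bean runs,
    // so a caller outside "Manager" never reaches the method or its interceptors.
    @RolesAllowed("Manager")
    public void approveSalary(String employeeId) {
        // business logic (hypothetical)
    }
}

// File: PayrollFacadeBean.java  (the @PermitAll dispatcher in front of it)
import java.util.logging.Logger;
import javax.annotation.Resource;
import javax.annotation.security.PermitAll;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@PermitAll   // every caller reaches this bean, so every attempt is observed
public class PayrollFacadeBean {
    private static final Logger AUDIT = Logger.getLogger("audit"); // assumed logger name

    @Resource
    private SessionContext ctx;

    @EJB
    private PayrollBean payroll;

    public void approveSalary(String employeeId) {
        // Name of the authenticated caller (the value for unauthenticated callers is container-specific)
        String caller = ctx.getCallerPrincipal().getName();
        try {
            payroll.approveSalary(employeeId);
            AUDIT.info(caller + " called PayrollBean.approveSalary(" + employeeId + "): allowed");
        } catch (EJBAccessException denied) {
            // The container refused the nested call: this is the "not in role" event
            // that an interceptor on PayrollBean itself can never see.
            AUDIT.warning(caller + " called PayrollBean.approveSalary(" + employeeId + "): DENIED");
            throw denied; // keep the original failure visible to the client
        }
    }
}
```

The same try/catch can live in an @AroundInvoke interceptor bound to the facade bean instead of in each facade method, since the EJBAccessException from the delegated call propagates up through InvocationContext.proceed().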

Frank Gradzik posted 8 months ago

Hm, alright then. The dispatcher-type EJB idea is quite nice though, I might look into that.
My original idea was that I could write this as a re-usable tool, so that I could just simply export this logging Interceptor into a .jar and use this as a default-interceptor in every EJB based JEE project I would like to have monitored. This way I don't need to weave in a bunch of logging/monitoring code into the business code.

The logging EJB in front of the actual business logic EJB would kind of hinder that though I guess, as it is probably quite complicated (if possible at all) to design this in some kind of generic way so that it can be used as a component in different JEE projects. I guess some EJB would be needed that takes all business method calls and forwards them to the respective business logic EJB after logging the action, which sounds impossible to me...

For a specific project where I am willing to weave the logging code into the business code, this is a possible solution though, I think.